Everything You Know About Passwords Is Wrong

Cyber-criminals are changing the way they crack passwords. Our tips will keep yours strong.

The 'rules' of creating strong passwords have changed in the past few months. Even when a website describes a password as 'strong', skilled hackers armed with new software could break it easily.

Cybercrime has changed, and creating an “unbreakable” password is all but impossible. Criminals no longer hack one PC. They break into a company database (big firms such as LinkedIn, Sony and Adobe have all been hit), steal huge troves of passwords in encrypted form, and “crack” them over the course of months.


Sony alone lost 77 million passwords. Given time and enough computing power, virtually NO password is uncrackable. Tips such as using longer phrases, not words, no longer make you “immune” - they just give you more time. That time is important, though: if you have reused a password (and most of us do), you have time to change it on all your accounts. You also have time to change the one that got stolen in the first place.

Even Fernando Corbato, the MIT computer scientist often described as the “inventor” of the password, says his creation has now become “kind of a nightmare in the age of the Internet”. Our tips should help you pick a handful of passwords to keep your REALLY important data safe.

Don’t use Justin Bieber lyrics

Pop culture references are not a good idea.

When cybercriminals settle down to crack a list of passwords, one tactic is what’s known as a “dictionary attack”. This is software which tries every single word in the English language, one by one. Names of hit films, bands and celebrities will be in there and will be guessed early. Names such as “Superman” are surprisingly common as passwords. So are swearwords, lyrics, album names and band members’ names. Avoid all of these.

Don’t use your dog’s name

One in six PC users in Britain uses either a pet’s name or a partner’s name as their password, according to research by Google Apps. When criminals use PCs to “guess” passwords, the software will first try obvious words related to your life, such as your hometown or your partner’s name. Hackers can often find this information freely online, on social networks, blogs, LinkedIn profiles or job descriptions.

Two-factor systems often rely on phones

Don’t rely on your password alone

Technology companies hate passwords as much as you do, and many sites are trialling (and offering) extra ways to keep accounts safe. 'Two-factor authentication' makes accounts much safer.

This process sends you a one-time code via text message or an app. Without the code, you can’t get in, which makes it far harder to hack accounts. You have to opt in to use this service, but the option is usually found under Account or Security, or a quick search on the site you are using will find you a how-to.

Long passwords are not “safe”

For years, IT people advised that longer passwords (for instance, using a phrase, not a word) were safer. This is no longer the case. The popular password-guessing program Hashcat can guess passwords up to 55 characters long. These systems are so clever that a password-cracking program recently guessed the phrase from horror novelist H.P. Lovecraft’s 'Call of Cthulhu', “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”. Not only did the password contain numbers, it was in a made-up language.

Don’t have an obvious recovery question

It is very tempting to use the same recovery question each time (such as the classic “mother’s maiden name”). The programs used by cybercriminals may be able to harvest information such as your home town - especially if you post such information on Facebook. This gives hackers a 'back door' to your password. Many sites allow you to make up your own question. Do it. Make it hard, but one you’ll remember.


Don’t use quotes, use maths

Many security experts advise using a favourite quote as a password, but newer cracking programs can guess these easily, especially if they are from a current film. Using maths equations can be memorable and secure. Something like “1hundred+2=Threethousand” is just about easy enough for a normal person to remember and the mix of numbers, special characters and words is hard to crack.

Do add numbers, just not on the end

Your IT department may force you to change your password every month or so but don’t be tempted to vary the same one, such as by adding a number on the end. In hacker slang, these easy-to-crack passwords are known as “Joe” passwords. The same goes for sites where they force you to add capital letters and numbers until your password is “strong”. Don't stick them on the end. Intersperse special characters and numbers throughout and your passwords will be tough nuts to crack.
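The two tactics described above, the dictionary attack and the "Joe" password with a number tacked on the end, are easy to check for on the defending side. The following is an added example, not code from the article: a small policy check that undoes the trivial dressing a cracker would try first (capitals, leet substitutions, trailing digits and symbols) and then looks the remainder up in a word list. The word list and the substitution table here are constructed stand-ins for a real cracker's dictionary.

```python
import re

# Constructed stand-in for a cracker's dictionary: ordinary words plus the
# pop-culture names, pet names and keyboard patterns the article lists.
COMMON_WORDS = {
    "password", "superman", "batman", "letmein", "qwerty",
    "bieber", "cthulhu", "rover", "fluffy", "london",
}

# Letter substitutions that a cracking rule reverses in one step, so
# "P@ssw0rd" is no further from "password" than "password" itself.
LEET = str.maketrans("0134578@$", "oieastbas")

# Digits and symbols stuck on the end: the "Joe" pattern from the article.
TRAILING = re.compile(r"[\d!@#$%^&*()_+=.,?-]+$")


def joe_base(password, wordlist=COMMON_WORDS):
    """Return the dictionary word a 'Joe' password is built from, or None.

    A Joe password is a known word dressed up with capital letters, leet
    substitutions, or digits and symbols tacked on the end. Those are the
    first mangling rules a cracker applies, so the dressing buys nothing.
    """
    stripped = TRAILING.sub("", password)      # "Superman2014!" -> "Superman"
    core = stripped.translate(LEET).lower()    # "P@ssw0rd" -> "password"
    return core if core in wordlist else None


def assess(password, wordlist=COMMON_WORDS):
    """Classify a candidate password the way a site's policy check might."""
    if password.isdigit():
        return "weak: digits only (123456-style, guessed immediately)"
    base = joe_base(password, wordlist)
    if base is not None:
        return f"weak: dictionary word {base!r} with trivial mangling"
    if len(password) < 12:
        return "weak: too short to resist a brute-force run"
    return "ok: not a simple dictionary variant"


if __name__ == "__main__":
    for candidate in ("Password1", "Superman2014!", "P@ssw0rd",
                      "123456", "1hundred+2=Threethousand"):
        print(f"{candidate!r}: {assess(candidate)}")
```

Run against the article's own examples, "Password1" and "Superman" variants come back as dictionary words, while the maths-equation style password from the next tip passes this check.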

It can be OK to reuse passwords

Almost all of us reuse passwords - in fact, some users confess to using one password EVERYWHERE (although that is a bad idea). More sensible is to reuse a password on "disposable" sites, but save the “good” passwords for important sites like banking sites, shopping sites, Facebook etc. If you’re logging in to look at a site once, use a throwaway email address and use a disposable password. If the site is hacked, it doesn’t matter - just make sure it doesn't have other details such as your credit card.


Don’t reuse your email password, EVER

Your email password is the worst one to lose. Criminals can often find crucial details in your Outbox or Inbox - such as account numbers, addresses, or even scans of passports. They also use the email account to reset passwords for other sites such as Amazon and PayPal. Email accounts are a goldmine for thieves. Make sure that password is strong, and not used anywhere else.

Use several methods at once

The first passwords that will be guessed by any cracking program are the obvious ones - a report this week said “Password1” still got you into one in three accounts, and others such as "123456" are similarly easy prey. What you need is a phrase that defies a computer’s logic: mix up sentences, acronyms (such as “jjfiaggg” for “Jumpin’ Jack Flash, it’s a gas, gas, gas”) and real words, and you’ll have a password that criminals will find VERY hard to crack.